| commit | author | age | ||
| d9c4cb | 1 | .. _qtut_authorization: |
| SP | 2 | |
| b1b922 | 3 | =========================================== |
| PE | 4 | 21: Protecting Resources With Authorization |
| 5 | =========================================== | |
| 6 | ||
| a5e89f | 7 | Assign security statements to resources describing the permissions required to |
| SP | 8 | perform an operation. |
| 9 | ||
| b1b922 | 10 | |
| PE | 11 | Background |
| 12 | ========== | |
| 13 | ||
| a5e89f | 14 | Our application has URLs that allow people to add/edit/delete content via a web |
| SP | 15 | browser. Time to add security to the application. Let's protect our add/edit |
| 16 | views to require a login (username of ``editor`` and password of ``editor``). | |
| 17 | We will allow the other views to continue working without a password. | |
| 18 | ||
| b1b922 | 19 | |
| PE | 20 | Objectives |
| 21 | ========== | |
| 22 | ||
| a5e89f | 23 | - Introduce the Pyramid concepts of authentication, authorization, permissions, |
| SP | 24 | and access control lists (ACLs). |
| b1b922 | 25 | |
| a5e89f | 26 | - Make a :term:`root factory` that returns an instance of our class for the top |
| SP | 27 | of the application. |
| b1b922 | 28 | |
| a5e89f | 29 | - Assign security statements to our root resource. |
| b1b922 | 30 | |
| a5e89f | 31 | - Add a permissions predicate on a view. |
| b1b922 | 32 | |
| a5e89f | 33 | - Provide a :term:`Forbidden view` to handle visiting a URL without adequate |
| SP | 34 | permissions. |
| 35 | ||
| b1b922 | 36 | |
| PE | 37 | Steps |
| 38 | ===== | |
| 39 | ||
| 40 | #. We are going to use the authentication step as our starting point: | |
| 41 | ||
| 42 | .. code-block:: bash | |
| 43 | ||
| 187104 | 44 | $ cd ..; cp -r authentication authorization; cd authorization |
| d9c4cb | 45 | $ $VENV/bin/pip install -e . |
| b1b922 | 46 | |
| a5e89f | 47 | #. Start by changing ``authorization/tutorial/__init__.py`` to specify a root |
| SP | 48 | factory to the :term:`configurator`: |
| b1b922 | 49 | |
| PE | 50 | .. literalinclude:: authorization/tutorial/__init__.py |
| 51 | :linenos: | |
| 52 | ||
| a5e89f | 53 | #. That means we need to implement ``authorization/tutorial/resources.py``: |
| b1b922 | 54 | |
| PE | 55 | .. literalinclude:: authorization/tutorial/resources.py |
| 56 | :linenos: | |
| 57 | ||
| 58 | #. Change ``authorization/tutorial/views.py`` to require the ``edit`` | |
| 59 | permission on the ``hello`` view and implement the forbidden view: | |
| 60 | ||
| 61 | .. literalinclude:: authorization/tutorial/views.py | |
| 62 | :linenos: | |
| 63 | ||
| 64 | #. Run your Pyramid application with: | |
| 65 | ||
| 66 | .. code-block:: bash | |
| 67 | ||
| 187104 | 68 | $ $VENV/bin/pserve development.ini --reload |
| b1b922 | 69 | |
| d749bf | 70 | #. Open http://localhost:6543/ in a browser. |
| b1b922 | 71 | |
| PE | 72 | #. If you are still logged in, click the "Log Out" link. |
| 73 | ||
| a5e89f | 74 | #. Visit http://localhost:6543/howdy in a browser. You should be asked to |
| SP | 75 | login. |
| 76 | ||
| b1b922 | 77 | |
| PE | 78 | Analysis |
| 79 | ======== | |
| 80 | ||
| 81 | This simple tutorial step can be boiled down to the following: | |
| 82 | ||
| a5e89f | 83 | - A view can require a *permission* (``edit``). |
| b1b922 | 84 | |
| a5e89f | 85 | - The context for our view (the ``Root``) has an access control list (ACL). |
| b1b922 | 86 | |
| a5e89f | 87 | - This ACL says that the ``edit`` permission is available on ``Root`` to the |
| SP | 88 | ``group:editors`` *principal*. |
| b1b922 | 89 | |
| a5e89f | 90 | - The registered ``groupfinder`` answers whether a particular user (``editor``) |
| SP | 91 | has a particular group (``group:editors``). |
| b1b922 | 92 | |
| a5e89f | 93 | In summary, ``hello`` wants ``edit`` permission, ``Root`` says |
| b1b922 | 94 | ``group:editors`` has ``edit`` permission. |
| PE | 95 | |
| a5e89f | 96 | Of course, this only applies on ``Root``. Some other part of the site (a.k.a. |
| SP | 97 | *context*) might have a different ACL. |
| b1b922 | 98 | |
| a5e89f | 99 | If you are not logged in and visit ``/howdy``, you need to get shown the login |
| SP | 100 | screen. How does Pyramid know what is the login page to use? We explicitly told |
| 101 | Pyramid that the ``login`` view should be used by decorating the view with | |
| 102 | ``@forbidden_view_config``. | |
| b1b922 | 103 | |
| a5e89f | 104 | |
| SP | 105 | Extra credit |
| b1b922 | 106 | ============ |
| PE | 107 | |
| a5e89f | 108 | #. Do I have to put a ``renderer`` in my ``@forbidden_view_config`` decorator? |
| a51276 | 109 | |
| 5fc95b | 110 | #. Perhaps you would like the experience of not having enough permissions |
| b1b922 | 111 | (forbidden) to be richer. How could you change this? |
| PE | 112 | |
| a5e89f | 113 | #. Perhaps we want to store security statements in a database and allow editing |
| SP | 114 | via a browser. How might this be done? |
| b1b922 | 115 | |
| a5e89f | 116 | #. What if we want different security statements on different kinds of objects? |
| SP | 117 | Or on the same kinds of objects, but in different parts of a URL hierarchy? |
